Hello there friends, please explain to me how it is with custom DNS, AdGuard for example. I know that with standard settings my ISP sees everything, but if I use some encrypted DNS, what exactly will they see? I know one thing: if I visit, for example, 9gag, they will see that, but if I click the memes category on that site, will they know I clicked on that category or not? I also know that if I want full privacy I must use Tor or/with a VPN, but this time I'm asking about this situation. Thank you so so much.

  • TiffyBelle@feddit.uk · 11 months ago (edited)

    Encrypted DNS doesn't really do much for privacy. It does, however, accomplish two main things:

    • Ensures the authenticity of the DNS server you're receiving a response from due to the certificate exchange.

    • Preserves the integrity of the response as it would be difficult for it to be tampered with in-transit.

    The domain names you visit are leaked in plain text regardless of your DNS provider and how you connect to them via the "client hello" process of TLS, specifically the Server Name Indication (SNI) portion. ISPs could, in theory, use this to see which domains you're visiting, even if you're using encrypted DNS, but not the specific pages within the domain.

    Note that there are mechanisms like ECH (Encrypted Client Hello) and ESNI (Encrypted Server Name Indication) that attempt to solve the domain name leakage issue, but each requires domains that wish to support these technologies to include an entry specific to those in their DNS records to facilitate the key exchange for the encryption to be viable. You'll also need a DNS client that supports ECH/ESNI. Very few domains and clients presently do this, meaning it is almost certain that all, or the vast majority, of your visited domains would be transmitted in plain text at this point in time.

    • ViciousTurducken@lemmy.one · 11 months ago

      Ad and tracker blocking at the DNS level is a solid way to improve privacy, right? Whether it be using your VPN's DNS or something like NextDNS.

      • TiffyBelle@feddit.uk · 11 months ago (edited)

        Yes. In fact, using DNS-based blocking solutions is pretty much the only way to protect against first-party trackers that use CNAME cloaking tactics if you're not using a Firefox browser with uBO, since Chromium browsers have no ability to defend against this type of attack (with the exception of Brave, as they implemented their own method of protecting against this with their Shields system).